Lecture #18-20: Web Applications Security
Dr.Ramchandra Mangrulkar
September 14, 2020
Dr.Ramchandra Mangrulkar Lecture #18-20: Web Applications Security September 14, 2020 1 / 25
Contents
OWASP
Web- A User Side
Web Browser : Architecture, Vulnerabilities and Attacks
Web Application Security
OWASP
[1] https://owasp.org
Web-User/Client Side
The browser is the core client-side component. Its counterpart is the web server.
Web- A User Side
Cookies
HTTPS and SSL
Web Browser : Working and Attacks
Web Application Security
The Browser Architecture: Overview
Overview of the communication between web servers and web browsers.
The web server and the browser typically run on separate machines.
Only the web server has access to the local disk.
The browser only gets access to the local disk by asking the user for permission.
The web server and the browser communicate over the network.
The Web Browser architecture
The Web Browser architecture cont...
The User Interface subsystem
- provides features such as toolbars, visual page-load progress, smart download handling, preferences, and printing.
- may be integrated with the desktop environment to provide browser session management or communication with other desktop applications.
Browser Engine
- a high-level interface to the Rendering Engine.
- loads a given URL and supports primitive browsing actions such as forward, back, and reload.
- provides hooks for viewing various aspects of the browsing session, such as current page load progress and JavaScript alerts.
- allows the querying and manipulation of Rendering Engine settings.
The Web Browser architecture cont...
Rendering Engine
- produces the visual representation for a given URL.
- displays HTML and XML documents, optionally styled with CSS, and embedded content (images).
- IE (Trident), Firefox (Gecko), Safari, Chrome and Opera (WebKit).
- Chrome runs multiple instances of this engine across its tabs.
Networking subsystem
- implements file transfer protocols such as HTTP and FTP.
JavaScript Interpreter
- evaluates JavaScript code, which may be embedded in web pages.
XML Parser subsystem
- parses XML documents into a Document Object Model (DOM) tree [2].
- the most reusable subsystem in the architecture.
[2] A Document Object Model (DOM) tree is a web page representation that can be accessed and modified by script code.
The Web Browser architecture cont...
Display Back-end subsystem (UI Backend)
- provides drawing and windowing primitives, a set of user interface widgets, and a set of fonts.
- may be tied closely to the operating system.
Data Persistence subsystem
- stores various data associated with the browsing session on disk.
- may be high-level data such as bookmarks or toolbar settings,
- or low-level data such as cookies, preferences, security certificates, or cache.
The Web Browser Market Share
Source: NetMarketShare, "Market share for mobile, browsers, operating ..." netmarketshare.com
Home Assignment
Microsoft Edge
https://blogs.windows.com/msedgedev/2016/04/20/building-a-more-accessible-web-platform/
Google Chrome
https://medium.com/@zicodeng/explore-the-magic-behind-google-chrome-c3563dbd2739
Firefox
https://blog.mozilla.org/standard8/2015/06/30/firefox-hello-desktop-behind-the-scenes-architecture/
Why Worry about Browser Security
A browser often connects to more than one address.
Fetching data can entail accesses to numerous locations.
Browser software can be malicious or can be corrupted to acquire malicious functionality.
Browsers support add-ins, extra code that adds new features to the browser, but these add-ins themselves can include corrupting code.
Data display involves a rich command set that controls rendering, positioning, motion, layering, and even invisibility.
The browser can access any data on a user’s computer: the browser runs with the same privileges as the user.
Data transfers to and from the user are invisible, meaning they occur without the user’s knowledge or explicit permission.
Browser Attacks : Three Attacks Vectors
Go after the operating system so it will impede the browser’s correct and secure functioning.
Tackle the browser or one of its components, add-ons, or plug-ins so its activity is altered.
Intercept or modify communication to or from the browser.
Browser Attacks : Three Attacks Vectors [3]
[3] https://zeltser.com/targeting-web-browser-user/
Browser Attacks
Man-in-the-Browser
Keystroke Logger
Page-in-the-Middle
Program Download Substitution
User-in-the-Middle
Man-in-the-Browser Attack
Man-in-the-browser is a form of man-in-the-middle attack.
An attacker is able to insert himself into the communications channel between two trusting parties by compromising a web browser.
Its purpose is eavesdropping, data theft and/or session tampering.
It allows attackers to carry out various forms of financial fraud, typically by manipulating Internet banking services.
In order to compromise the browser, adversaries can take advantage of security vulnerabilities and/or manipulate inherent browser functionality to change content, modify behavior, and intercept information.
Various forms of malware, e.g. a Trojan horse, can be used to carry out the attack.
Man-in-the-Browser Attack [4]
[4] https://www.kratikal.com/
There are many examples of man-in-the-browser malware and attack campaigns targeting online banking and other internet services. Infamous names of malware used include Zeus, SpyEye, Bugat, Carberp, Silon, Tatanga, and more.
Keystroke Logger
A keystroke logger (or key logger) is either hardware or software that records all keystrokes entered. The logger either retains these keystrokes for future use by the attacker or sends them to the attacker across a network connection.
Page-in-the-Middle Attack
A page-in-the-middle attack is another type of browser attack in which a user is redirected to another page.
When the user clicks “login” to go to the login page of a site, the attack might redirect the user to the attacker’s page, where the attacker can capture the user’s credentials.
Program Download Substitution
Coupled with a page-in-the-middle attack is a download substitution.
The attacker presents a page with a desirable and seemingly innocuous program for the user to download, for example a browser toolbar or a photo organizer utility.
The attack also defeats users’ access controls that would normally block software downloads and installations, because the user intentionally accepts this software.
User-in-the-Middle
The attack puts a human between two automated processes so that the human unwittingly helps spammers register automatically for free email accounts.
A CAPTCHA is a puzzle that supposedly only a human can solve, so that a server application can distinguish between a human who makes a request and an automated program generating the same request repeatedly.
Web Applications Security vulnerabilities (Risks)
Injection
- Injection flaws, such as SQL, NoSQL, OS, and LDAP injection.
Broken Authentication
- Application functions implemented incorrectly,
- allowing attackers to compromise passwords, keys, or session tokens.
Sensitive Data Exposure
- applications do not properly protect sensitive data, such as financial or healthcare data.
XML External Entities (XXE)
- disclose internal files using the file URI handler;
- internal file shares, internal port scanning, remote code execution, and denial of service attacks.
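The SQL injection item above, worked through as an added example that is not part of the lecture: a constructed in-memory user table, a login query built by string concatenation (the flaw) beside the same query with bound parameters (the fix), and a classic test input showing why only the second is safe.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table for this demo (plaintext passwords only to keep it short)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def login_vulnerable(db, name, password):
    """Injection flaw: user input is spliced into the SQL text, so a quote in the
    input ends the string literal and the rest of the input is parsed as SQL."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}' ORDER BY name")
    return [row[0] for row in db.execute(sql)]

def login_safe(db, name, password):
    """Parameterized query: the driver binds the values as data, so the same
    input is compared literally and can never change the query's structure."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (name, password))]

if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"   # textbook test input: a stray quote plus an always-true clause
    print(login_vulnerable(db, tainted, tainted))  # ['alice', 'bob']: the WHERE clause was rewritten
    print(login_safe(db, tainted, tainted))        # []: the input is just an unmatched name
```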
Web Applications Security vulnerabilities (Risks)
Broken Access Control
- Restrictions on what authenticated users are allowed to do are not properly enforced.
- Attackers exploit these flaws to access unauthorized functionality and/or data.
Security Misconfiguration
- a result of insecure default configurations.
- frameworks, libraries, and applications must be securely configured and must be patched/upgraded in a timely fashion.
Web Applications Security vulnerabilities (Risks)
Cross-Site Scripting (XSS)
- an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript.
- allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Insecure Deserialization
- often leads to remote code execution.
- can also be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
Using Components with Known Vulnerabilities
- Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application.
- an attack can facilitate serious data loss or server takeover.
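The XSS item above, as an added example that is not from the lecture: a comment-rendering function that drops user-supplied data straight into HTML, beside a hardened version that encodes each value for the context it lands in (quoted attribute, element text) and allow-lists the link scheme. The rendering functions, the allow-list policy and the hostile inputs are all constructed for this demo.

```python
import html
from urllib.parse import urlsplit

def safe_url(url):
    """Only http(s) links may go into href; anything else (e.g. a javascript: or
    data: URL) is replaced by '#'. Allow-listing the scheme is this demo's policy."""
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    return url if scheme in ("http", "https") else "#"

def render_comment_vulnerable(author, text, link):
    """Untrusted data placed straight into the page: the XSS flaw from the slide."""
    return f'<div class="comment"><a href="{link}">{author}</a>: {text}</div>'

def render_comment(author, text, link):
    """Hardened form: every value is escaped for its output context and the
    URL scheme is checked before it reaches the attribute."""
    href = html.escape(safe_url(link), quote=True)   # quote=True also encodes " and '
    return (f'<div class="comment"><a href="{href}">{html.escape(author)}</a>: '
            f'{html.escape(text)}</div>')

if __name__ == "__main__":
    # Constructed hostile inputs: attribute break-out, inline script, script-scheme URL.
    author = '"><img src=x onerror=alert(1)>'
    text = "<script>alert('xss')</script>"
    link = "javascript:alert(1)"
    print(render_comment_vulnerable(author, text, link))  # markup escapes the attribute and runs
    print(render_comment(author, text, link))             # everything renders as inert text
```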
Web Applications Security vulnerabilities (Risks)
Insufficient Logging & Monitoring
- allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data.
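The monitoring side of this item, as an added example that is not part of the lecture: a sliding-window detector run over a constructed authentication log (format and TEST-NET addresses are assumptions of this demo). It raises an alert when one source address reaches a burst of failed logins, and a second, higher-priority alert when that same address then logs in successfully, which is exactly the event that goes unnoticed without logging.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log for the demo (line format assumed).
SAMPLE_LOG = """\
2020-09-14T10:00:01Z login FAIL user=alice ip=203.0.113.7
2020-09-14T10:00:03Z login FAIL user=bob ip=203.0.113.7
2020-09-14T10:00:04Z login FAIL user=bob ip=198.51.100.2
2020-09-14T10:00:05Z login OK user=bob ip=198.51.100.2
2020-09-14T10:00:06Z login FAIL user=carol ip=203.0.113.7
2020-09-14T10:00:09Z login FAIL user=dave ip=203.0.113.7
2020-09-14T10:00:12Z login FAIL user=erin ip=203.0.113.7
2020-09-14T10:00:20Z login OK user=erin ip=203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) login (OK|FAIL) user=(\S+) ip=(\S+)$")

def parse_line(line):
    """Returns (timestamp, outcome, user, ip), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, outcome, user, ip = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), outcome, user, ip

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Emits ('brute_force', ip, user) the first time an IP reaches `threshold`
    failures inside `window`, and ('success_after_failures', ip, user) when a
    flagged IP later logs in successfully (the event an analyst must triage)."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, outcome, user, ip = rec
        q = failures[ip]
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if outcome == "FAIL":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, user))
        elif ip in flagged:
            alerts.append(("success_after_failures", ip, user))
    return alerts

def run_demo():
    return detect(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The single failure from 198.51.100.2 followed by a success never crosses the threshold, so only 203.0.113.7 produces alerts.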

Lecture #18 - #20: Web Browser and Web Application Security
